[Libwebsockets] Settings Frame size above max / Flow control exceeded max

Andreas Lobbes Andreas.Lobbes at thinprint.com
Mon Jul 8 10:58:30 CEST 2019


Program received signal SIGFPE, Arithmetic exception.
0x00007ffff792dff5 in lws_dynamic_token_insert (len=13, 
    arg=0x55555579d8d0 "nginx/1.15.10", lws_hdr_index=65, hdr_len=6, 
    wsi=<optimized out>)
    at lib/roles/h2/hpack.c:507
507		new_index = (dyn->pos) % dyn->num_entries;

All entries in dyn have zero value

(gdb) bt
#0  0x00007ffff792dff5 in lws_dynamic_token_insert (len=13, 
    arg=0x55555579d8d0 "nginx/1.15.10", lws_hdr_index=65, hdr_len=6, 
    wsi=<optimized out>)
    at lib/roles/h2/hpack.c:507
#1  lws_hpack_interpret (wsi=0x5555557b8070, c=<optimized out>, c@entry=63 '?')
    at lib/roles/h2/hpack.c:1257
#2  0x00007ffff792b0ca in lws_h2_parser (wsi=wsi@entry=0x55555579d140, 
    in=0x55555577f437 "a\226\320z\276\224\003\312e\266\205\004", 
    in@entry=0x55555577f420 "", inlen=205, inlen@entry=228, 
    inused=inused@entry=0x7fffffff96f8)
    at lib/roles/h2/http2.c:1778
#3  0x00007ffff792d2ed in lws_read_h2 (wsi=wsi@entry=0x55555579d140, 
    buf=0x55555577f420 "", len=228)
    at lib/roles/h2/http2.c:2336
#4  0x00007ffff7930dee in rops_handle_POLLIN_h2 (pt=0x55555577f1a8, 
    wsi=0x55555579d140, pollfd=0x555555780438)
    at lib/roles/h2/ops-h2.c:261
#5  0x00007ffff791526d in lws_service_fd_tsi (
---Type <return> to continue, or q <return> to quit---
    context=context@entry=0x55555577f0e0, pollfd=0x555555780438, 
    tsi=tsi@entry=0)
    at lib/core/service.c:1022
#6  0x00007ffff7931c71 in _lws_plat_service_tsi (context=0x55555577f0e0, 
    timeout_ms=<optimized out>, tsi=tsi@entry=0)
    at lib/plat/unix/unix-service.c:168
#7  0x00007ffff7931e57 in lws_plat_service (context=<optimized out>, 
    timeout_ms=<optimized out>)
    at lib/plat/unix/unix-service.c:193
#8  0x00007ffff791541d in lws_service (context=0x55555577f0e0, 
    timeout_ms=<optimized out>)
    at lib/core/service.c:1092

Andreas
________________________________________
From: Andy Green [andy at warmcat.com]
Sent: Monday, July 08, 2019 10:39 AM
To: Andreas Lobbes; libwebsockets at ml.libwebsockets.org
Subject: Re: [Libwebsockets] Settings Frame size above max / Flow control exceeded max

On 7/8/19 9:31 AM, Andreas Lobbes wrote:
> Hi Andy,
>
> that patch causes a SIGFPE interrupt, presumably division by zero.

gdb will give better info than strace for this kind of thing.  Probably
even valgrind will do better.  Build with
cmake .. -DCMAKE_BUILD_TYPE=DEBUG for meaningful backtraces.

> A proper strace output is a bit difficult to produce. Because of the callbacks
> it is unclear what calls are done by the lib and what calls are done by me.
> Right before the crash some poll() calls are made,
>
> poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 0 (Timeout)
> poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 0 (Timeout)
> poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 0 (Timeout)
> poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 1 ([{fd=8, revents=POLLIN}])
>
> then some read
>
> read(8, "\27\3\3\0\374", 5)             = 5
> read(8, "r\"\237\347x\37u\317T\266\1f\256\371\204\v#\305g\23Y.\5%\275\346@\352j\232\210\241"..., 252) = 252
>
> then this:
>
> munmap(0x7f4c064a9000, 135168)          = 0
>
> and then
>
> --- SIGFPE {si_signo=SIGFPE, si_code=FPE_INTDIV, si_addr=0x7f4c05dfbff5} ---
> +++ killed by SIGFPE +++
>
> in between there are a lot of calls to rt_sigprocmask() and stat("/etc/localtime").

What is the peer that is making the trouble?  Something I can access?

-Andy

> Regards,
> Andreas
>
> ________________________________________
> From: Andy Green [andy at warmcat.com]
> Sent: Monday, July 08, 2019 9:48 AM
> To: Andreas Lobbes; libwebsockets at ml.libwebsockets.org
> Subject: Re: [Libwebsockets] Settings Frame size above max / Flow control exceeded max
>
> On 7/8/19 8:19 AM, Andreas Lobbes wrote:
>
>> 2019-07-08 09:06:46 INF http2 settings 4 <- 0x10000
>
> ...
>
>> 2019-07-08 09:06:46 INF lws_wsi_server_new: 0x555dc7a20a20 new ch 0x555dc7a39640, sid 1, usersp=(nil), tx cr 65536, peer_credit 65535 (nwsi tx_cr 65536)
>
> ...
>
>> 2019-07-08 09:06:46 INF WINDOW_UPDATE: sid 0 2147418112 (0x7fff0000)
>
> ... the peer sure looks unreasonable.  It told us to use 0x10000 as the
> initial tx credit which we did, and then it added 0x7fff0000 to it
> before we sent any payload... it overflows the 32-bit signed space
> allowed for it.
>
> What happens if you add a hack to force that to be corrected to not
> overflow?
>
> diff --git a/lib/roles/h2/http2.c b/lib/roles/h2/http2.c
> index d819a0f5c..229c5bb70 100644
> --- a/lib/roles/h2/http2.c
> +++ b/lib/roles/h2/http2.c
> @@ -1584,6 +1584,10 @@ lws_h2_parse_end_of_frame(struct lws *wsi)
>                           break; /* ignore */
>                   }
>
> +               if ((uint64_t)eff_wsi->h2.tx_cr +
> (uint64_t)h2n->hpack_e_dep >
> +                   (uint64_t)0x7fffffff)
> +                       h2n->hpack_e_dep = 0x7fffffff - eff_wsi->h2.tx_cr;
> +
>                   if ((uint64_t)eff_wsi->h2.tx_cr +
> (uint64_t)h2n->hpack_e_dep >
>                       (uint64_t)0x7fffffff) {
>                           if (h2n->sid)
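
Review bot: The clamp added at the top of this hunk leaves the unchanged test right after it, `if ((uint64_t)eff_wsi->h2.tx_cr + (uint64_t)h2n->hpack_e_dep > (uint64_t)0x7fffffff)`, unable to fire for a non-negative tx_cr, so the branch starting `if (h2n->sid)` becomes dead code and an oversized WINDOW_UPDATE is accepted silently. That suits the experiment proposed here, but if the clamp is kept it should log both the received and the clamped increment, and the unreachable check should be removed or the clamp made conditional, because RFC 7540 section 6.9.1 requires ending the stream or connection with FLOW_CONTROL_ERROR when the window would exceed 2^31-1. Both tests also cast tx_cr to uint64_t; if that field is signed and can be negative, the cast wraps and the clamp would trigger on a legitimate update, so a signed 64-bit comparison would be safer.
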
>
>
> -Andy
>

